In the information age, data is everywhere — it is a commodity to be held and bartered, and a currency that fuels transactions between organizations, consumers and governments. Yet when a breach of individuals’ private information occurs, the characteristics of the data are treated as an afterthought. While an attempt may be made to determine what was lost, or to use computer forensics to stop an active attack, little thought is given to matching an appropriate consumer remedy to the risk profile of the data breach.
Data breach is not a “one size fits all” proposition. The costs of a breach are directly tied to the specific circumstances of that breach and the type of Personally Identifying Information (PII) and Protected Health Information (PHI) involved. Failure to properly evaluate the risks associated with an organization’s specific data breach event can worsen several external outcomes: it can increase the likelihood that the breach will result in a class action suit; subject the organization to regulatory fines and penalties; attract negative attention from media and the public; and, finally, lead to subsequent identity theft for those affected by the breach.
Kroll advocates a risk-based approach to evaluating a data breach event. This data-driven method focuses on four interdependent factors that vary in importance depending upon the circumstances of the breach, all of which must be considered to present a clear picture of risk:
How did the data breach occur?
What was the size of the breach?
What type of PII/PHI was exposed?
Who is the impacted population?